Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

releng: Update debian-base and debian-iptables to buster-v1.6.0 to patch base image CVEs #100976

Merged
merged 3 commits into from Apr 16, 2021
Merged

releng: Update debian-base and debian-iptables to buster-v1.6.0 to patch base image CVEs #100976

merged 3 commits into from Apr 16, 2021

Conversation

jindijamie
Copy link
Contributor

@jindijamie jindijamie commented Apr 9, 2021
edited

What type of PR is this?

/kind feature

What this PR does / why we need it:

debian-base to buster-v1.6.0
debian-iptables to buster-v1.6.0

Which issue(s) this PR fixes:

Fixes a bunch of CVEs
Debian-iptables buster-v1.5.0
Medium CVE-2021-23840
Medium CVE-2021-23841
Low CVE-2019-1551
Low CVE-2021-3449
Low CVE-2021-24032
Low CVE-2021-24031

Debian-base buster-v1.4.0
Low CVE-2021-24031
Low CVE-2021-24032

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Base image updates to mitigate kube-proxy and etcd container image CVEs
- debian-base to buster-v1.6.0
- debian-iptables to buster-v1.6.0

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Apr 9, 2021
@k8s-ci-robot
Copy link
Contributor

Welcome @jindijamie!

It looks like this is your first PR to kubernetes/kubernetes 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/kubernetes has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot
Copy link
Contributor

Hi @jindijamie. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. area/release-eng Issues or PRs related to the Release Engineering subproject labels Apr 9, 2021
@k8s-ci-robot k8s-ci-robot added area/test sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/testing Categorizes an issue or PR as relevant to SIG Testing. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Apr 9, 2021
wespanther
wespanther reviewed Apr 12, 2021
View reviewed changes
build/dependencies.yaml Outdated
@@ -132,7 +132,7 @@ dependencies:

# Base images
- name: "k8s.gcr.io/debian-base: dependents"
version: buster-v1.4.0
version: buster-v1.5.0
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we've actually just built a new one last week, debian-base is up to buster-v1.6.0 now.

@jindijamie jindijamie changed the title update debian-base to buster-v1.5.0 for CVEs and debian-iptables to buster-v1.6.0 update debian-base to buster-v1.6.0 for CVEs and debian-iptables to buster-v1.6.0 Apr 12, 2021
@cjcullen
Copy link
Member

/ok-to-test

Thanks for putting this together Di

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Apr 12, 2021
@fedebongio
Copy link
Contributor

/remove-sig api-machinery

@k8s-ci-robot k8s-ci-robot removed the sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. label Apr 13, 2021
@jindijamie
Copy link
Contributor Author

/test

@k8s-ci-robot
Copy link
Contributor

@jindijamie: The /test command needs one or more targets.
The following commands are available to trigger jobs:

  • /test pull-kubernetes-conformance-image-test
  • /test pull-kubernetes-conformance-kind-ipv6-parallel
  • /test pull-kubernetes-dependencies
  • /test pull-kubernetes-dependencies-go-canary
  • /test pull-kubernetes-e2e-ipvs-azure-dualstack
  • /test pull-kubernetes-e2e-iptables-azure-dualstack
  • /test pull-kubernetes-files-remake
  • /test pull-kubernetes-e2e-gce
  • /test pull-kubernetes-e2e-gce-no-stage
  • /test pull-kubernetes-e2e-gce-kubetest2
  • /test pull-kubernetes-e2e-gce-canary
  • /test pull-kubernetes-e2e-gce-ubuntu
  • /test pull-kubernetes-e2e-gce-ubuntu-containerd
  • /test pull-kubernetes-e2e-gce-ubuntu-containerd-canary
  • /test pull-kubernetes-e2e-gce-alpha-features
  • /test pull-kubernetes-e2e-gce-device-plugin-gpu
  • /test pull-kubernetes-integration
  • /test pull-kubernetes-integration-go-canary
  • /test pull-kubernetes-cross
  • /test pull-kubernetes-e2e-kind
  • /test pull-kubernetes-e2e-kind-canary
  • /test pull-kubernetes-e2e-kind-ipv6
  • /test pull-kubernetes-e2e-kind-ipv6-canary
  • /test pull-kubernetes-conformance-kind-ga-only
  • /test pull-kubernetes-conformance-kind-ga-only-parallel
  • /test pull-kubernetes-e2e-kops-aws
  • /test pull-kubernetes-bazel-build-canary
  • /test pull-kubernetes-bazel-test-canary
  • /test pull-kubernetes-bazel-test-integration-canary
  • /test pull-kubernetes-local-e2e
  • /test pull-kubernetes-unit
  • /test pull-kubernetes-unit-experimental
  • /test pull-publishing-bot-validate
  • /test pull-kubernetes-e2e-aks-engine-windows-dockershim
  • /test pull-kubernetes-e2e-aks-engine-windows-containerd
  • /test pull-kubernetes-e2e-aks-engine-azure-disk-windows-dockershim
  • /test pull-kubernetes-e2e-aks-engine-azure-file-windows-dockershim
  • /test pull-kubernetes-e2e-aks-engine-gpu-windows-dockershim
  • /test pull-kubernetes-e2e-aks-engine-azure-disk-windows-containerd
  • /test pull-kubernetes-e2e-aks-engine-azure-file-windows-containerd
  • /test pull-kubernetes-e2e-aks-engine-conformance
  • /test pull-kubernetes-e2e-aks-engine-azure-disk-vmas
  • /test pull-kubernetes-e2e-aks-engine-azure-disk-vmss
  • /test pull-kubernetes-e2e-aks-engine-azure-file
  • /test pull-kubernetes-e2e-gce-network-proxy-http-connect
  • /test pull-kubernetes-e2e-gce-network-proxy-grpc
  • /test pull-kubernetes-e2e-gci-gce-autoscaling
  • /test pull-kubernetes-e2e-kind-dual-canary
  • /test pull-kubernetes-e2e-kind-ipvs-dual-canary
  • /test pull-kubernetes-e2e-ubuntu-gce-network-policies
  • /test pull-kubernetes-e2e-gci-gce-ipvs
  • /test pull-kubernetes-node-e2e
  • /test pull-kubernetes-node-e2e-podutil
  • /test pull-kubernetes-e2e-containerd-gce
  • /test pull-kubernetes-node-e2e-containerd
  • /test pull-kubernetes-node-e2e-alpha
  • /test pull-kubernetes-node-kubelet-serial-cpu-manager
  • /test pull-kubernetes-node-kubelet-serial-topology-manager
  • /test pull-kubernetes-node-kubelet-serial-hugepages
  • /test pull-kubernetes-node-crio-cgrpv2-e2e
  • /test pull-kubernetes-node-crio-e2e
  • /test pull-kubernetes-node-kubelet-serial-memory-manager
  • /test pull-kubernetes-e2e-gce-100-performance
  • /test pull-kubernetes-e2e-gce-big-performance
  • /test pull-kubernetes-e2e-gce-correctness
  • /test pull-kubernetes-e2e-gce-large-performance
  • /test pull-kubernetes-kubemark-e2e-gce-big
  • /test pull-kubernetes-kubemark-e2e-gce-scale
  • /test pull-kubernetes-e2e-gce-storage-slow
  • /test pull-kubernetes-e2e-gce-storage-snapshot
  • /test pull-kubernetes-e2e-gce-csi-serial
  • /test pull-kubernetes-e2e-gce-iscsi
  • /test pull-kubernetes-e2e-gce-iscsi-serial
  • /test pull-kubernetes-e2e-gce-storage-disruptive
  • /test pull-kubernetes-typecheck
  • /test pull-kubernetes-verify-govet-levee
  • /test pull-kubernetes-verify
  • /test pull-kubernetes-verify-go-canary
  • /test pull-kubernetes-e2e-windows-gce

Use /test all to run the following jobs:

  • pull-kubernetes-conformance-kind-ipv6-parallel
  • pull-kubernetes-dependencies
  • pull-kubernetes-e2e-gce-ubuntu-containerd
  • pull-kubernetes-integration
  • pull-kubernetes-e2e-kind
  • pull-kubernetes-e2e-kind-ipv6
  • pull-kubernetes-conformance-kind-ga-only-parallel
  • pull-kubernetes-unit
  • pull-kubernetes-node-e2e
  • pull-kubernetes-node-crio-e2e
  • pull-kubernetes-e2e-gce-100-performance
  • pull-kubernetes-typecheck
  • pull-kubernetes-verify-govet-levee
  • pull-kubernetes-verify

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jindijamie
Copy link
Contributor Author

/retest

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Apr 15, 2021
@justaugustus justaugustus changed the title update debian-base to buster-v1.6.0 for CVEs and debian-iptables to buster-v1.6.0 releng: Update debian-base and debian-iptables to buster-v1.6.0 to patch base image CVEs Apr 15, 2021
@justaugustus
Copy link
Member

Thanks for this update, @jindijamie!
/triage accepted
/sig release
/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. sig/release Categorizes an issue or PR as relevant to SIG Release. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Apr 15, 2021
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 15, 2021
@justaugustus
Copy link
Member

For cluster/images/etcd:
/assign @jpbetz @wenjiaswe

For test/utils/image:
/assign @dims

@dims
Copy link
Member

dims commented Apr 15, 2021

@jindijamie can you please document which CVE(s) you had in mind in the PR body? thanks!

/approve
/lgtm

@jpbetz
Copy link
Contributor

jpbetz commented Apr 15, 2021

/approve

for etcd image

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dims, jindijamie, jpbetz, justaugustus

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 15, 2021
@dims
Copy link
Member

dims commented Apr 15, 2021

/hold

please remove hold when this is ready @justaugustus

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 15, 2021
@jindijamie
Copy link
Contributor Author

@jindijamie can you please document which CVE(s) you had in mind in the PR body? thanks!
Done, thanks

@justaugustus
Copy link
Member

/hold cancel
🚀 :shipit:

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 16, 2021
@k8s-ci-robot k8s-ci-robot merged commit 3ed71cf into kubernetes:master Apr 16, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.22 milestone Apr 16, 2021
dghubble added a commit to poseidon/kubelet that referenced this pull request Apr 18, 2021
@dghubble
Update debian-iptables base from v1.5.0 to v1.6.0
ca54d2b 
* kubernetes/kubernetes#100976
@dghubble dghubble mentioned this pull request Apr 18, 2021
Merged
@github-actions github-actions bot mentioned this pull request Apr 21, 2021
Open
@jsturtevant jsturtevant added this to Done (v1.22) in SIG-Windows Apr 22, 2021
@wespanther wespanther mentioned this pull request Apr 23, 2021
Merged
k8s-ci-robot added a commit that referenced this pull request Apr 27, 2021
@k8s-ci-robot
Merge pull request #101438 from wespanther/automated-cherry-pick-of-#…
27202f8 
…100976-upstream-release-1.21

Automated cherry pick of #100976: releng: Update debian-base and debian-iptables to buster-v1.6.0 to patch base image CVEs
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wespanther wespanther wespanther left review comments

@hasheddan hasheddan Awaiting requested review from hasheddan

@jpbetz jpbetz Awaiting requested review from jpbetz

Assignees

@dims dims

@jpbetz jpbetz

@justaugustus justaugustus

@wenjiaswe wenjiaswe

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/release-eng Issues or PRs related to the Release Engineering subproject area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/release Categorizes an issue or PR as relevant to SIG Release. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
SIG-Windows
  
Done (v1.22)
Milestone
v1.22
Development

Successfully merging this pull request may close these issues.

None yet
9 participants
@jindijamie @k8s-ci-robot @cjcullen @fedebongio @wespanther @justaugustus @dims @jpbetz @wenjiaswe